
Bug#986923: marked as done (jhead: CVE-2021-3496)



Your message dated Sat, 24 Apr 2021 13:18:31 +0000
with message-id <E1laIB5-0009o4-Gw@fasolo.debian.org>
and subject line Bug#986923: fixed in jhead 1:3.04-6
has caused the Debian Bug report #986923,
regarding jhead: CVE-2021-3496
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
986923: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986923
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: jhead
Version: 1:3.04-5
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/Matthias-Wandel/jhead/issues/33
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for jhead.

CVE-2021-3496[0]:
| heap-based buffer overflow in Get16u() in exif.c

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-3496
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3496
[1] https://github.com/Matthias-Wandel/jhead/issues/33
[2] https://github.com/Matthias-Wandel/jhead/commit/ca2973f4ce79279c15a09cf400648a757c1721b0

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: jhead
Source-Version: 1:3.04-6
Done: Stephen Kitt <skitt@debian.org>

We believe that the bug you reported is fixed in the latest version of
jhead, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 986923@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stephen Kitt <skitt@debian.org> (supplier of updated jhead package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 24 Apr 2021 14:59:38 +0200
Source: jhead
Architecture: source
Version: 1:3.04-6
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Stephen Kitt <skitt@debian.org>
Closes: 968999 972617 986923
Changes:
 jhead (1:3.04-6) unstable; urgency=medium
 .
   * QA upload (Salzburg BSP).
   * CVE-2021-3496: check access boundaries in ProcessCanonMakerNoteDir().
     Closes: #986923.
   * Check IPTC lengths. Closes: #968999.
   * Allocate extra room when reading JPEG sections to avoid overflows.
     Closes: #972617.


--- End Message ---
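The changelog above describes the fix for CVE-2021-3496 as checking access boundaries in the maker-note directory parser. As an added illustration of that class of fix (hypothetical code written for this page, not jhead's code and not the actual patch), the following C walker validates an untrusted IFD entry count and every 16-bit read against the buffer length before touching memory; `get16u_checked`, `walk_ifd` and the sample byte arrays are invented for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Hypothetical bounds-checked walker for a TIFF/EXIF-style directory (IFD): a 2-byte
 * little-endian entry count, then 12-byte entries (tag 2, type 2, count 4, value 4).
 * Illustration only, not jhead's code. */

/* Read a little-endian uint16 at 'off' only if both bytes lie inside the buffer.
 * Written as 'len - off < 2' so the check itself cannot wrap around. */
static int get16u_checked(const uint8_t *buf, size_t len, size_t off, uint16_t *out)
{
    if (off > len || len - off < 2)
        return 0;
    *out = (uint16_t)(buf[off] | (buf[off + 1] << 8));
    return 1;
}
/* Walk the directory at 'dir_off'. Returns the entry count, or -1 if the count
 * field or any entry would reach outside 'buf'. */
int walk_ifd(const uint8_t *buf, size_t len, size_t dir_off)
{
    uint16_t count, tag;
    if (!get16u_checked(buf, len, dir_off, &count))
        return -1;
    size_t entries_off = dir_off + 2;             /* <= len, guaranteed by the read above */
    if ((len - entries_off) / 12 < count)         /* untrusted count vs. bytes actually present */
        return -1;
    for (uint16_t i = 0; i < count; i++) {
        size_t e = entries_off + (size_t)i * 12;
        if (!get16u_checked(buf, len, e, &tag))   /* per-access check, as defence in depth */
            return -1;
    }
    return count;
}

/* Constructed sample directories (not taken from any real image). */
static const uint8_t WELLFORMED[26] = { 0x02, 0x00,   /* 2 entries, 24 bytes follow */
    0x0f, 0x01, 0x02, 0x00, 0x06, 0x00, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00,
    0x10, 0x01, 0x02, 0x00, 0x06, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00 };
static const uint8_t OVERSIZED[14] = { 0xc8, 0x00,    /* claims 200 entries, 12 bytes follow */
    0x0f, 0x01, 0x02, 0x00, 0x06, 0x00, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00 };
static const uint8_t TRUNCATED[1] = { 0x02 };         /* count field itself is cut off */

int demo_wellformed(void) { return walk_ifd(WELLFORMED, sizeof WELLFORMED, 0); } /* 2 */
int demo_oversized(void)  { return walk_ifd(OVERSIZED, sizeof OVERSIZED, 0); }   /* -1 */
int demo_truncated(void)  { return walk_ifd(TRUNCATED, sizeof TRUNCATED, 0); }   /* -1 */

int main(void)
{
    printf("%d %d %d\n", demo_wellformed(), demo_oversized(), demo_truncated()); /* 2 -1 -1 */
    return 0;
}
```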
